Is It Identity Theft Or A Bank Robbery, Part II: Couple Sues Bank Over Money Taken

from the i've-still-got-my-identity dept

Last month, we posted an amusing discussion (and comedy act) concerning whether or not "identify theft" was really a crime, or if it was really a bank robbery where the bank was passing off the liability for its poor authentication system onto the bank customer. Apparently, just such an argument is already playing out in the courts. Steven Hoy alerts us to a story of a couple who are suing their bank, after someone masquerading as them accessed their account and transferred $26,000 to Austria. The details of the case are a bit complex, but basically, the couple claims that the bank did not live up to basic standards in authentication, and cite the Federal Financial Institutions Examination Council's claim that notes that "single-factor authentication is inadequate and calls on banks to implement two-factor systems." Thus, the argument goes, the fault was the bank's security, and thus, the bank should be liable. The judge found that to be convincing:

"In light of Citizens' apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.... If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers' online accounts."

37 Comments | Leave a Comment..

Is It ID Theft Or Was The Bank Robbed?

from the which-one-seems-more-accurate dept

Via Clay Shirky, comes a very good point from Kevin Marks concerning claims of "identity theft," where he notes that identity theft is not actually an identity being stolen but is usually a bank/credit card company being robbed and passing off the blame for their own poor security on the victim. He point to a brilliant comedy routine by Mitchell and Webb that makes this all pretty clear:

"They took all the money? That sounds more like a bank robbery."
"No, no. If only. 'Cause we could take the hit. No, no. It was actually your identity that was stolen, primarily. It's a massive pisser for you."
"But, it's actually money that's been taken..."
"Yes"
"From you?"
"Kind of."
"I don't know what you want from me other than my commiserations."
"You see it was your identity. They said they were you!"
"And you believed them?"
"Yes, they stole your identity."
"Well, I don't know. I seem to still have my identity, whereas you seem to have lost several thousands of pounds. In light of that, I'm not sure why you think it was my identity that was stolen instead of your money."

31 Comments | Leave a Comment..

Is Deceptively Getting People To Spam Their Friends Identity Theft?

from the seems-a-bit-strong dept

Last month, the social networking site Tagged got in some PR trouble after its attempt at "viral marketing" went a little haywire, causing lots of people to inadvertently spam their friends with invites to the service (and then those who signed up may have done the same). Such things are pretty common. They're deceptive and annoying, and companies that engage in them don't tend to last very long because no one really wants to use their service. But is it identity theft?

That seems to be the claim from NY Attorney General Andrew Cuomo who is suing the company, claiming that it "stole the address books and identities of millions of people." While we in no way endorse what Tagged did -- it is deceptive and scammy -- it's definitely seems like going over the line to call it identity theft, or even address book theft. Tagged apparently quickly pulled the plug on the campaign, and while there could be an action against the company for deceptive marketing practices, one would think that the company's reputation has been so damaged already that it's not going to be able to sign up many legitimate users. Tacking on attacks about privacy invasion and identity theft seems like bit much.

12 Comments | Leave a Comment..

Low-Tech Methods Get The Blame For Most Identity Fraud

from the methodology dept

A new research study says that identity fraud rose 22 percent in 2008 from the previous year, blaming lost or stolen wallets, not data breaches, for the majority of incidents. It's important to note the terminology here: the group that conducted the research considers identity fraud -- when stolen information is actually used for financial gain -- as distinct from identity theft, which is simply when identity information is stolen. It stands to reason, then, that the occurrence of identity theft is actually far higher. Also, the numbers on how criminals obtained the information may be slightly skewed. Respondents to the survey were asked if they knew how their information was stolen, and only 35% responded that they did. Of that 35%, only 22% said it was stolen online or via a data leak. Again, it stands to reason that people whose information was stolen because their wallet was lifted or lost, or via some other noticeable method, would be more aware of it than if, say, a retailer gave up their credit card number or other info. Also, is it helpful to consider a pickpocket using a stolen credit card to be analogous to a massive data breach? While the end result might be similar for affected consumers, the method of the crime, as well as the reasons why it was allowed to happen, are very, very different. To equate pickpocketing to data breaches runs the risk of underemphasizing the risk that slack corporate or governmental security poses to large numbers of people. Gee, that doesn't sound familiar, does it?

Carlo Longino is an expert at the Insight Community. To get insight and analysis from Carlo Longino and other experts on challenges your company faces, click here.

6 Comments | Leave a Comment..

Do Grade Changing Hackers Deserve 20 Years In Jail?

from the seems-a-bit-extreme dept

Over the years, we've had numerous stories of kids caught changing their grades by hacking into school computer systems. However, is it worth a $250,000 fine and 20 years in jail? That's apparently what two men face after hacking into California State University's computer system and changing their grades. The guys have been charged with "unauthorized computer access, identity theft, conspiracy, and wire fraud." Obviously, these guys did a bad thing, but it's hard to see how the possible sentence matches with the crime. Of course, it seems unlikely that any judge would give them the maximum sentence, but even hearing that it's possible just for changing your grades seems ridiculous.

95 Comments | Leave a Comment..

Identity Fraud Victims May Soon Be Able To Sue For Time Spent Getting Their Identity Back

from the recognizing-the-pain dept

One of the biggest problems with scammers taking your ID is that the victims are the ones who have to spend all the time and money cleaning up their credit record and dealing with the fallout of the fraud with little recourse. A new bill that's going through the Senate aims to at least allow identity fraud victims to sue the scammers for the time and effort it takes to repair their lives. Of course, that depends on them figuring out who the scammer was, which isn't always easy. This certainly seems reasonable given the burden placed on the victims of such scams, but it won't lessen the pain in dealing with credit agencies who all to often don't seem particularly willing to help in the aftermath of identity fraud.

23 Comments | Leave a Comment..

Congress: P2P Promotes Identity Theft! We Need New Laws!

from the maybe-one-of-these-will-stick dept

It would appear that the entertainment industry's friends in Congress are now trying to blame just about anything evil online on P2P technology. A few months ago, a group of representatives started saying that P2P technology had to be regulated because it was a national security threat. The reasoning behind this? Because some idiot gov't employees ignored policies forbidding the use of unauthorized 3rd party apps (or putting sensitive data on home computers) and misconfigured P2P apps... ending up in secure documents being available for download. In other words, even though the real fault was stupid gov't employees ignoring policies and misusing the technology... it was the technology's fault.

Apparently, that argument didn't generate enough support for a new law against P2P technology. So now the exact same group of Congressional Representatives is claiming that P2P technology is evil and must be stopped... because it promotes identity theft. The politicians (many of whom just so happen to come from places where large entertainment firms are based... though, we're sure that's a coincidence) are clearly trying to come up with an excuse (any excuse) to come up with new laws against P2P systems. Today's action involved asking the FTC to investigate this perceived threat from P2P systems and also asked whether the FTC felt it had enough enforcement powers to address this problem, or if it needed help from Congress. In other words, the well-choreographed dance has begun. We'll soon see legislation introduced to crack down on file sharing systems, officially in the name of stopping identity theft, but really thanks to campaign contributions from the entertainment industry who still hasn't realized that it's harming itself. The more they do this, the more real innovation will move elsewhere.

20 Comments | Leave a Comment..

Why Is P2P Software The Focus In Latest Identity Theft Arrest?

from the that's-not-the-issue dept

The press has been buzzing about the fact that a Seattle man was arrested for identity theft earlier this week -- with most of the focus being on the fact that he used P2P file sharing software to find personal info about people which he then used in his identity theft scam to get credit cards under his victims' names, order products and then sell them online at half-price. Clearly, if he's found guilty of doing this, the guy was involved in a pretty massive fraud and deserves to go to jail. However, the P2P angle is an odd one, as one of the charges is "accessing a protected computer without authorization." The thing is, it wasn't without authorization. It was just that the individuals incorrectly configured their own file sharing software to expose private details. Just as some politicians want to blame P2P software for gov't employees misconfiguring it, it seems wrong to blame this guy for accessing documents that people stupidly made available. It sounds like the guy probably did plenty of other things that will get him locked up for a long time -- but unauthorized access isn't necessarily them.

15 Comments | Leave a Comment..

Ohio Data Leak Gets Pinned On The Intern

from the passing-the-buck-eye dept

You might remember the recent data leak in Ohio, where personal info on a million or so people was lost, after a storage device containing it was stolen from an intern's car. The intern, who apparently took the device home with him as part of a security protocol, has now been fired by the state, and says he's being made the scapegoat for the loss. Despite the governor's claims to the contrary, of course the intern's being scapegoated, even though he apparently was just doing what he was told. That's how things work with data leaks: the buck is passed, and responsibility shirked. In this instance, the state can say the responsible party has been fired, glossing over the fact that he was apparently just following directions he'd been given, and that the real problem here was a flawed security plan that was either devised by an idiot, or, more likely, by somebody who didn't take the security of other people's personal info very seriously. That's the problem here: nobody seems to care when it's other people's data. There are never any real ramifications from these leaks, as long as companies or governments are seen to have some security plan in place, even if it's not a good one. Until that changes -- and the scapegoating and responsibility shirking stops -- data leaks and breaches are going to keep on coming.

31 Comments | Leave a Comment..

Does LifeLock Charge Extra To Coerce Suspected Identity Thieves?

from the smooth-move dept

LifeLock, a company that sells some identity theft protection services that consumers could get for free, got some bad press last month. Not only did it come out that one of the company's founders had allegedly stolen personal information from customers of another business he owned, it was also disclosed that LifeLock's services failed to protect the company's CEO from identity theft. A man in the Dallas area used the CEO's social security number -- which is prominently displayed in LifeLock's marketing materials -- to obtain a $500 loan, and police were waiting to get some subpoenaed information when the CEO took things into his own hands. He showed up at the fraudster's house with a film crew, and apparently coerced a confession out of the guy, who police say is mentally disabled. The confession is legally worthless, and police and prosecutors say it's tainted the case, so they're not going to proceed with their investigation, and have no plans to arrest the suspect. So, it would appear, that not only do LifeLock's anti-identity theft measures not work, the company also manages to bungle the prosecution of identity thieves.

69 Comments | Leave a Comment..

Feds' Edict To Encrypt Hard Drives Gets -- You Guessed It -- Ignored

from the surprise! dept

Back in May, the Transportation Security Administration did its best to gloss over the fact that it lost a hard drive containing personal information on some 100,000 of its employees by putting out a press release about it at 7 o'clock on a Friday evening. Now, a few months later, it's disclosed that the drive wasn't encrypted (via Threat Level), in contravention of a White House order from last summer saying that all devices containing personal data need to be encrypted if they're taken outside secure areas. As we've noted, these sorts of edicts and guidelines are meaningless unless they're actually followed, and non-compliance brings real repercussions.

29 Comments | Leave a Comment..